Lucene search
K

265 matches found

OSV
OSV
added 2026/06/25 10:34 p.m.3 views

GO-2026-5662 Prometheus has Stored XSS via metric names and label values in Prometheus web UI in github.com/prometheus/prometheus

Prometheus has Stored XSS via metric names and label values in Prometheus web UI in github.com/prometheus/prometheus...

6.1CVSS6.1AI score0.0024EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/23 12:0 a.m.10 views

Linux Distros Unpatched Vulnerability : CVE-2026-50178

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code...

8.8CVSS5.9AI score0.00275EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/22 3:20 p.m.11 views

EUVD-2026-38264

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option located in client/src/client.ts. This setting instructs VS...

8.7CVSS5.9AI score0.00275EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 3:20 p.m.3 views

CVE-2026-50178

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option located in client/src/client.ts. This setting instructs VS...

8.7CVSS5.9AI score0.00275EPSS
Exploits0References2Affected Software2
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.13 views

PT-2026-51338

Name of the Vulnerable Software and Affected Versions Angular Language Service VS Code Extension versions prior to 21.2.4 Description The client-side extension configures the tooltip Markdown renderer with the isTrusted: true option, causing VS Code to trust all rendered content and enable active...

8.8CVSS5.9AI score0.00275EPSS
Exploits0References3
NVD
NVD
added 2026/06/12 9:16 p.m.13 views

CVE-2026-45014

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via unsanitized user display name in draft version tooltip. As of time of publication, no known patched versions are available...

5.3CVSS0.00286EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:48 p.m.10 views

EUVD-2026-36573

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via unsanitized user display name in draft version tooltip. As of time of publication, no known patched versions are available...

5.3CVSS4.9AI score0.00286EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/10 2:34 p.m.8 views

CVE-2026-53693 MISP BSimVis stored cross-site scripting in tag and cluster rendering paths via unescaped tag metadata and UI labels

A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS...

6.9CVSS5.5AI score0.00277EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/25 12:0 a.m.11 views

Apache ECharts 安全漏洞

Apache ECharts is a data visualization charting library from the Apache USA Foundation. A security vulnerability exists in Apache ECharts versions prior to 6.1.0, which stems from a failure to escape HTML strings in the rendering logic of the Lines family of tooltips, potentially leading to a...

6.1CVSS5.6AI score0.00759EPSS
Exploits0References6
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.13 views

Astra Linux – Vulnerability in Firefox

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have led to this text being interpreted by the webpage. This vulnerability affects Firefox versions...

4.3CVSS6.3AI score0.00493EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/06 12:0 a.m.10 views

Zabbix 跨站脚本漏洞

Zabbix is a set of open-source monitoring systems developed by Zabbix Inc. This system supports network monitoring, server monitoring, cloud monitoring, and application monitoring. Zabbix has a cross-site scripting vulnerability. This vulnerability arises because non-super administrators who have...

7.3CVSS5.8AI score0.00285EPSS
Exploits0References1
OSV
OSV
added 2026/04/15 10:26 p.m.1 views

CVE-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

5.3CVSS6AI score0.0024EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/15 10:26 p.m.23 views

CVE-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

5.3CVSS0.0024EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/15 10:26 p.m.3 views

CVE-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

5.3CVSS5.9AI score0.0024EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/13 4:39 p.m.15 views

Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer

Impact Stored cross-site scripting XSS via crafted metric names in the Prometheus web UI: Old React UI + New Mantine UI: When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into innerHTML without escaping, causing arbitrary script...

6.1CVSS6.2AI score0.0024EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/13 4:39 p.m.3 views

GHSA-VFFH-X6R8-XX99 Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer

Impact Stored cross-site scripting XSS via crafted metric names in the Prometheus web UI: Old React UI + New Mantine UI: When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into innerHTML without escaping, causing arbitrary script...

6.1CVSS6.2AI score0.0024EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/13 4:39 p.m.8 views

Cross-site Scripting (XSS)

Overview github.com/prometheus/prometheus/web/ui is a systems and service monitoring system Affected versions of this package are vulnerable to Cross-site Scripting XSS via various UI components whose innerHTML is rendered unsanitized, based on user input. The metric names and label values used b...

6.1CVSS5.3AI score0.0024EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/04/07 5:7 p.m.5 views

CVE-2026-33404

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js Network page and charts.js/index....

6.1CVSS5.9AI score0.00145EPSS
Exploits0References1
NVD
NVD
added 2026/04/06 3:17 p.m.8 views

CVE-2026-33404

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js Network page and charts.js/index....

6.1CVSS0.00145EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/06 2:48 p.m.30 views

CVE-2026-33404 Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js Network page and charts.js/index....

3.4CVSS0.00145EPSS
Exploits0References1
Rows per page
Query Builder